Managing sensitive data securely with secrets
Secrets are objects that contain sensitive data, such as passwords, tokens, credit card numbers, or any other data that shouldn't be exposed. You can store secrets in the BlazeMeter default vault, or in an external vault. By using secrets, you do not have to hard code any sensitive data into your test scripts. Whenever an enabled secret appears in reports or logs during and after run time, the value of the secret is replaced with asterisks (*).
To use external vaults and secrets, you need to create them in your workspace settings. To learn more about vaults and secrets in your workspace, see Create and manage vaults.
If your test scenarios require the use of secrets, such as API keys, token, or credentials, be sure that:
- only production and non-sensitive secrets are used.
- all secrets are strictly limited in scope and privilege, and access only test-specific resources or data.
- secrets should be temporary and rotated regularly.
- you avoid the use of secrets that provide access to productions environments or sensitive customer data.
Use secrets to your test script
Once you created the secrets in your workspace, you can use them in your test script.
Use secrets in JMeter
In JMeter, you can reference a configured secret using the prefix BZM_SECRET. Add a default value to your secret after the secret name.
${__P(BZM_SECRET_secret1)}
Secrets included in your test script are automatically detected when you upload your test script when your test script is written in JMeter. The Secrets section appears as enabled, but is read only.
If no secrets are detected in your JMeter script, you can manually choose which secrets to include.
Use Secrets in a JMeter script that references other scripts
You can use secrets in your JMeter test script that reference other scripts. The following examples show a script that references a Python script.
execution:
- executor: locust
concurrency: 10
locations:
us-east4-a: 1
ramp-up: 1m
hold-for: 5m
scenario: load_test
scenarios:
load_test:
script: secrets_locust.py
vault-integration: 68f4b9f8e205c2e49e077c05
secrets:
- secret1
Python script with secrets
import os
from locust import HttpUser, task, between
class LoadTest(HttpUser):
host = "https://blazedemo.com"
wait_time = between(1, 3)
def on_start(self):
self.base_url = "https://blazedemo.com"
self.endpoints = ["/login"]
self.secret = os.getenv("BZM_SECRET_secret1", "value")
self.endpoints.append(f"/echo.php?echo={self.secret}")
@task
def perform_requests(self):
for endpoint in self.endpoints:
self.client.get(endpoint)
Manually enable secrets
You can manually enable secrets when:
-
using executors other than JMeter. Because BlazeMeter cannot automatically detect secrets that are not written in JMeter, you need to configure the secrets in your workspace settings and then enable them manually.
-
you want to enable Secrets due to the possibility of sensitive data showing in test results or logs. Any selected secrets that appear in your test results or logs are replaces with asterisks (*).
To enable the Secrets section and choose which configured secrets to include in your test:
-
On the test configuration page, scroll to the Secrets section and toggle the button ON.
-
(Optional) Choose the Secret source. If you don't have any external vaults integrated, leave the default secret source.
-
Select all relevant secrets for your test script. Search for secrets using the search bar. To only show the secrets you have already selected, click Show Selected Secrets.
You can change the secret source after selecting secrets to view secrets from another source. However, if you select secrets from a different source, all previously selected secrets are cleared.